Purple Protocol Lab Manual
Version 1.3.3.7

Lab 1

Threat Intelligence

The first step to emulating an adversary is to identify and understand that adversary.  As Sun Tzu's Art of War famously puts it, "If you know the enemy and know yourself, you need not fear the result of a hundred battles."  This lab covers the "know the enemy" part.

In this lab, we will dive into understanding how to recognize and analyze the Tactics, Techniques, and Procedures (TTPs) used by Advanced Persistent Threats (APTs). As cyber threats become more sophisticated, it's essential for security professionals to not only detect attacks but also understand the methods adversaries use to infiltrate and navigate systems.

By the end of the lab, you should be able to do the following:

1) On your lab VM's desktop, double-click the "MITRE ATT&CK" icon.
2) Click "CTI > Groups".
Tip
Take a moment to scroll through this page.  At the time of creating this workshop, MITRE had 163 APTs listed here, each with its associated group names listed alongside it.  These associated names are either the same group tracked under a different name or a spin-off group with very similar TTPs, because the actual hands-on-keyboard threat actors are often some of the same people.  The description may also tell you which countries and/or industries the group is known to target.

The purpose of this Cyber Threat Intelligence (CTI) is to be able to identify adversaries that are known to attack organizations similar to your own, whether that is your company’s HQ location or industry.  These are the threat actors most likely to attack your organization.  Try to find an APT that is known to target your industry and organizations where your company is headquartered and take note of that APT for later.

3) Select G0007 (APT28).

Scroll down to see the "Techniques Used" section for this threat actor.

Here you can see all the techniques that APT28 has been known to use against other organizations.

MITRE has a great, open-source application called “MITRE ATT&CK Navigator” to help visualize the known TTPs of Threat Actors in their database.

4) On the desktop of your lab VM, double-click "ATT&CK Navigator".
5) Click on Create New Layer > Enterprise ATT&CK.
6) Click on the magnifying glass at the top right, scroll to "Threat Groups", and select "APT 28".
7) Under "Layer Controls", select "Expand Subtechniques".
8) Click on "Technique Controls" > Background Color > Red (because red means bad).
Tip
Take a moment to navigate through the ATT&CK Navigator.  These are the known techniques used by APT 28 to achieve their objectives when attacking an organization.  These same steps can be repeated for any threat actor in this database to help plan the adversary emulation for your Purple Team.  The Tactics (or phases) of the attack chain are the columns; the Techniques (and Sub-Techniques) are the items listed under each column.  You can follow the attack chain of these threat actors from Reconnaissance to Impact and see exactly which techniques they deploy to complete each phase of their attack.

Now that we have created a layer for APT28, consider your organization:

Industry
  - Finance
  - Critical Infrastructure
  - Healthcare
  - Government
  - Etc.

Country or Region
  - USA-based organization
  - Foreign-based organization
  - Which countries are considered adversaries of the country where the organization is based?

9) Use MITRE CTI to find a threat actor that typically targets organizations similar to yours and add them to MITRE ATT&CK Navigator under a new layer by clicking the + sign to add a new tab.

Note any overlaps in the techniques used as well as any differences.  These Tactics, Techniques, and Procedures (TTPs) are what we emulate in order to understand what our adversary is likely to do when attacking our organization.  By understanding these TTPs we can emulate them to test our defenses and find our visibility gaps.  TTPs are interesting.  As you mature as a hacker, you slowly develop what is often referred to as a "methodology": the steps you take when enumerating the machines you are testing, the tools you become comfortable with and gravitate to, the path you take to dump credentials or move laterally, etc.  You will develop a "fingerprint" of your own in the same way any Threat Actor does.  That is essentially what TTPs are: the fingerprint of a Threat Actor.  This is typically how Threat Actors are identified and categorized post-breach.
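As an added example (not part of the lab and not MITRE's tooling), the following Python script does the overlap analysis the step above asks for in code and writes the result as a Navigator layer you can open alongside the layers you built by hand.  The technique sets for APT28 and the placeholder second group are constructed sample data, not MITRE's CTI entries; replace them with the technique IDs you collect from the Groups pages.  The layer JSON field names and version strings reflect the author's understanding of the Navigator layer format and should be checked against your Navigator install.

```python
"""Compare two threat groups' ATT&CK techniques and emit a Navigator layer.

Added example for this lab; not MITRE's tooling and not a transcription of
MITRE's CTI data.  GROUP_TECHNIQUES holds CONSTRUCTED sample technique IDs
(the APT28 set is illustrative, not MITRE's real list; GROUP_B_PLACEHOLDER
stands in for the actor you pick for your own industry/region).  The layer
fields used (name, domain, versions, techniques[].techniqueID/color/score/
comment) follow the Navigator layer JSON format as the author understands it;
check the version strings against the Navigator build you run.
"""
import json

# Constructed sample data: ATT&CK technique IDs per group.
GROUP_TECHNIQUES = {
    "APT28": {"T1059.003", "T1003.001", "T1070.001", "T1566.001", "T1078"},
    "GROUP_B_PLACEHOLDER": {"T1059.003", "T1003.001", "T1490", "T1056.001", "T1566.002"},
}


def parent_technique(technique_id):
    """Map a sub-technique to its parent (T1059.003 -> T1059); parents map to themselves."""
    return technique_id.split(".", 1)[0]


def compare_ttps(group_a, group_b, techniques=GROUP_TECHNIQUES):
    """Exact overlaps and differences, plus families shared only at the parent level.

    'shared_parent_only' catches cases such as T1566.001 vs T1566.002: same
    technique family, different sub-technique, which still merits a test case.
    """
    a, b = techniques[group_a], techniques[group_b]
    exact_shared = a & b
    shared_parents = {parent_technique(t) for t in a} & {parent_technique(t) for t in b}
    return {
        "shared": sorted(exact_shared),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "shared_parent_only": sorted(shared_parents - {parent_technique(t) for t in exact_shared}),
    }


def build_navigator_layer(group_a, group_b, techniques=GROUP_TECHNIQUES):
    """Navigator layer: red = both groups, orange = group_a only, yellow = group_b only."""
    cmp = compare_ttps(group_a, group_b, techniques)
    entries = []
    for tid in cmp["shared"]:
        entries.append({"techniqueID": tid, "color": "#ff0000", "score": 2,
                        "comment": f"{group_a} and {group_b}"})
    for tid in cmp["only_a"]:
        entries.append({"techniqueID": tid, "color": "#ff8000", "score": 1, "comment": group_a})
    for tid in cmp["only_b"]:
        entries.append({"techniqueID": tid, "color": "#ffff00", "score": 1, "comment": group_b})
    return {
        "name": f"{group_a} vs {group_b}",
        "domain": "enterprise-attack",
        # Assumed version strings; adjust to match your Navigator/ATT&CK release.
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
        "description": "Overlap of known techniques: red = both, orange = first group only, "
                       "yellow = second group only.",
        "techniques": entries,
    }


def emulation_priority(group_a, group_b, techniques=GROUP_TECHNIQUES):
    """Order techniques for emulation: exact overlaps first, then shared families, then the rest."""
    cmp = compare_ttps(group_a, group_b, techniques)
    remaining = sorted(cmp["only_a"] + cmp["only_b"])
    family_only = [t for t in remaining if parent_technique(t) in cmp["shared_parent_only"]]
    rest = [t for t in remaining if t not in family_only]
    return cmp["shared"] + family_only + rest


if __name__ == "__main__":
    layer = build_navigator_layer("APT28", "GROUP_B_PLACEHOLDER")
    with open("overlap_layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)  # load in Navigator via "Open Existing Layer"
    print(json.dumps(compare_ttps("APT28", "GROUP_B_PLACEHOLDER"), indent=2))
    print("Emulation order:", emulation_priority("APT28", "GROUP_B_PLACEHOLDER"))
```

The emulation order puts techniques both actors use at the top of the list, since those are the ones most likely to be thrown at an organization in your industry regardless of which actor shows up; the generated layer gives the same information visually as the two-tab comparison in Navigator.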

Lab 2

Atomic Red Team Framework

This lab will go over Red Canary’s Atomic Red Team Framework.  Atomic Red Team is a library of techniques, scripts, and test case execution automation, all mapped to MITRE ATT&CK’s Technique Numbers.  These tests built for each Technique are referred to as “atomics”.  This makes it easy to cross reference MITRE ATT&CK CTI Threat Actors and their Techniques to Atomic Red Team’s Atomics.

By the end of this lab you should be able to do the following:

Note
If network connectivity allows, start at "1)"; otherwise skip to "2)".
1) Navigate to https://AtomicRedTeam.io/

Scroll to "Projects" and click on "ATOMIC RED TEAM".

This is the library of Techniques, test cases for the Techniques, and how to execute them.  Red Canary labels these tests "Atomics".  There are often many Atomics per technique and sub-technique, allowing for a wide variety of ways to test any given technique or situation.  You can search for the MITRE ATT&CK Technique number in the search bar to find the Atomics matching that technique.

2) Due to past experiences with network connectivity issues at DEF CON during workshops, we decided to import all of the test cases from the Atomic Red Team framework directly onto the VM to keep any network issues from getting in the way of the workshop.
3) On the Desktop of your VM you should see a folder called "Atomic Red Team".  Double-click this to open the folder.

Inside of this are all the Atomics stored locally inside of the VM.  We will demonstrate how to utilize these Atomics in this lab.

4) Scroll to T1059.003 and double-click to open the folder.
5) Double-click on the Markdown source file.

Here you will see Atomic Red Team's explanation of the technique.  In this case, it is "Command and Scripting Interpreter: Windows Command Shell".

Atomic Red Team has features that allow for automated test case execution.  We will not be going over the automation portion of Atomic Red Team in this workshop; we will be executing the test cases manually.

6) Back inside the T1059.003 folder, open the src folder.

Inside here you will see one "Windows Command Script" file.  Right-click and edit this file.

This is a very basic script: it calls the command prompt to execute the binary "calc.exe".  While calc.exe is not malicious, the behavior of executing a binary in this roundabout way is suspicious, and Threat Actors have been known to do this during their attack chains.  Malicious executables that bypass AV/EDR can be built in a few minutes (ask me how I know).  Therefore, we want to detect this type of suspicious behavior rather than the executable itself.

7) Open PowerShell and copy/paste the following command into it:
   Start-Process "C:\Users\hacker\Desktop\Atomic Red Team\atomics\T1059.003\src\t1059.003_cmd.cmd"

Command Prompt should have opened and then executed the command to launch calc.exe from System32.

Now we will use another technique that is meant to dump the memory of the Local Security Authority Subsystem Service (LSASS).  By dumping the memory of the LSASS process, we can extract the cached credentials of users who have logged into the machine.  This technique relates specifically to the dump itself, so we won't go beyond that.

8) Open PowerShell as Administrator.
9) Use the following command to change directory to the Atomic's folder:
   cd 'C:\users\hacker\Desktop\Atomic Red Team\atomics\T1003.001\src'
10) Use the following command to bypass the execution policy for PowerShell:
   Set-ExecutionPolicy bypass
11) When it asks if you want to change the policy, type "Y".
12) Run the following commands:
   Import-Module .\Out-Minidump.ps1
   get-process lsass
   get-process lsass | Out-Minidump

If this works and is not blocked, it will create a file called lsass_[Id Number].dmp in the same folder as the Out-Minidump.ps1 file.

This .dmp file holds credential information because we took a snapshot of the portion of the memory that LSASS was using.  Another way we can do the same thing is to dump it from Task Manager directly.

13) Open Task Manager.
14) Navigate to the Details tab.
15) Right-click on LSASS and click "Create dump file".

This will effectively do the same thing: create a memory dump of LSASS that can be pulled off the machine so that credentials can be extracted from the dump.  Windows Defender Antivirus may have triggered on either of these techniques.

For our next technique we’ll be destroying evidence of our wrongdoing, but before we destroy the logs let’s take a look at Event Viewer.

16) In the VM, either type "Event Viewer" in the start menu and open it, or press Windows+X then "V" (which is the 1337 way of opening Event Viewer).
17) Expand "Windows Logs".

Here you will see the 4 main categories of Windows Logs:

Application – Logs relating to applications such as Microsoft Edge, Windows Management Instrumentation, the .NET Runtime, etc.

Security – Logs relating to authentication, file permissions, logons, etc.

Setup – Logs relating to installation, upgrades, and other OS related setup information

System – Logs related to Windows System Components, Drivers, and other critical Windows functions

Windows by default sends most logs here.  Your organization can configure other items to be sent here and may also forward these logs to a centralized Security Information and Event Management (SIEM) server.  Incident Response and Threat Hunters use logs like these to aid their investigations.  For this reason, Threat Actors often clear them to cover their tracks.  This is suspicious behavior, so we want to test whether we have alerting set up for this situation.

18) On the desktop of the VM, double-click "Atomic Docs".
19) Navigate to T1070.001.

Here you can see the explanation of how this technique is done.

20) Open Command Prompt as Administrator and run the commands listed in the Atomic Docs for T1070.001.
21) Open Event Viewer back up and navigate to Windows Logs.  Click on Application, Security, and System to view the logs.  You will see that all of these have been cleared.

These are just three examples of common techniques executed by Threat Actors.  As you can see, Red Canary's Atomic Red Team Framework spells out how to execute these Techniques in a way that is easy to follow.  The Techniques we used in this lab are some of the easier ones to execute.  They do get more complicated, but as you continue to run them, you will learn as you go and become more comfortable with the more complex Techniques.  As you execute future test cases, don't just copy and paste commands or execute pre-built binaries from Atomic Red Team.  Open up the scripts, read through them, and do the necessary research to actually understand what is happening and how it works before you execute.
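The defender's side of the three atomics above: as an added example (not from the lab, Red Canary, or any vendor), the Python below runs simple detection rules over a handful of constructed Windows Security and Sysmon event records, one per technique, and reports which ATT&CK technique each hit maps to.  The records are constructed to look like parsed Security 4688 (process creation), Sysmon 10 (process access), Security 1102 and System 104 (log cleared) events; the allowlist entry for Defender's engine is an assumption you would tune for your own environment, and the "log" key is the example's own name for the channel an event was written to.

```python
"""Detection rules for the three atomics run in this lab, over constructed events.

Added example, not from the lab or from Atomic Red Team.  SAMPLE_EVENTS are
CONSTRUCTED records shaped like Windows events after the XML has been parsed
into fields; the data field names mirror the real Windows/Sysmon names, and
"log"/"event_id" are this example's own keys for channel and event ID.
Event IDs used: Security 4688 (process creation), Sysmon 10 (process access),
Security 1102 (audit log cleared), System 104 (log file cleared).
"""
import re

SAMPLE_EVENTS = [
    # T1059.003: PowerShell starting cmd.exe to run a .cmd script from the Desktop
    {"log": "Security", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ""C:\Users\hacker\Desktop\Atomic Red Team'
                    r'\atomics\T1059.003\src\t1059.003_cmd.cmd""'},
    # Benign: Explorer launching Notepad
    {"log": "Security", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # T1003.001: PowerShell (Out-Minidump) opening lsass.exe with full access
    {"log": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign: Defender's engine reading lsass.exe (allowlisted below; assumed path)
    {"log": "Microsoft-Windows-Sysmon/Operational", "event_id": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\x.y\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # T1070.001: Security log cleared, then the Application log cleared
    {"log": "Security", "event_id": 1102, "SubjectUserName": "hacker"},
    {"log": "System", "event_id": 104, "SubjectUserName": "hacker", "Channel": "Application"},
]

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory
# Assumed allowlist of processes expected to touch LSASS; tune for your environment.
LSASS_ACCESS_ALLOWLIST = {"msmpeng.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_cmd_script(ev):
    """T1059.003: PowerShell launched cmd.exe to run a .cmd/.bat script file."""
    if ev.get("log") != "Security" or ev.get("event_id") != 4688:
        return None
    if basename(ev["NewProcessName"]) != "cmd.exe":
        return None
    if basename(ev["ParentProcessName"]) != "powershell.exe":
        return None
    if not re.search(r"\.(cmd|bat)\b", ev.get("CommandLine", ""), re.IGNORECASE):
        return None
    return ("T1059.003", "PowerShell launched cmd.exe to run a script file")


def detect_lsass_access(ev):
    """T1003.001: a non-allowlisted process opened lsass.exe with memory-read rights."""
    if ev.get("event_id") != 10 or not ev.get("log", "").startswith("Microsoft-Windows-Sysmon"):
        return None
    if basename(ev["TargetImage"]) != "lsass.exe":
        return None
    source = basename(ev["SourceImage"])
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
        return None
    return ("T1003.001", f"{source} opened lsass.exe with access {ev['GrantedAccess']}")


def detect_log_clear(ev):
    """T1070.001: Security log cleared (1102) or another log cleared (System 104)."""
    if ev.get("log") == "Security" and ev.get("event_id") == 1102:
        return ("T1070.001", f"Security log cleared by {ev.get('SubjectUserName')}")
    if ev.get("log") == "System" and ev.get("event_id") == 104:
        return ("T1070.001", f"{ev.get('Channel')} log cleared by {ev.get('SubjectUserName')}")
    return None


DETECTORS = (detect_cmd_script, detect_lsass_access, detect_log_clear)


def run_detections(events):
    """Apply every rule to every event; return one hit record per match."""
    hits = []
    for index, ev in enumerate(events):
        for detector in DETECTORS:
            result = detector(ev)
            if result:
                hits.append({"event_index": index, "technique": result[0], "reason": result[1]})
    return hits


def coverage(hits, expected=("T1059.003", "T1003.001", "T1070.001")):
    """Which of the lab's three techniques produced at least one detection."""
    seen = {h["technique"] for h in hits}
    return {technique: technique in seen for technique in expected}


if __name__ == "__main__":
    found = run_detections(SAMPLE_EVENTS)
    for hit in found:
        print(f"event {hit['event_index']}: {hit['technique']} - {hit['reason']}")
    print("coverage:", coverage(found))
```

Two of the constructed records are benign on purpose: the Notepad launch checks that the 4688 rule keys on the parent/child pair and the script argument rather than on cmd.exe alone, and the Defender record shows the allowlist that any real LSASS-access rule needs, since AV engines and some backup agents legitimately open LSASS.  A missing hit for one of the three techniques is exactly the visibility gap the lab is asking you to find.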

Lab 3

Purple Team Organization and Execution

The other half of the equation is knowing your own organization’s strengths and weaknesses during any phase of an adversary’s chain of attacks.  With this information you can understand where to prioritize remediation and fortification of defenses.

By the end of the lab, you should be able to do the following:

1) On the Desktop of your VM, click on "Vectr Login".
2) Log in using the credentials in the Credentials.txt file on the desktop.  It will ask you to select an Active Environment.  Select HEALTH_THREAT_INDEX.
3) Navigate to Library > Import Data.
4) On the Desktop there is a file called index-2025-v1.0.2.yml; drag that file into the "import file" box.
5) Click "Submit" at the bottom right.

This .yml file is the newest Threat Simulation Index from Security Risk Advisors (SRA).  This contains the most recent index (at the time of the Lab’s creation). These are the most common techniques used by 24 active Threat Actors.  This index is curated by SRA and updated periodically.

6) At the top of the screen, navigate to Testing > View All Assessments.  At the bottom right of the Assessments screen, click "Start New Assessment".
7) Click on TSI – Threat Simulation Index 2025.
8) Click on "Create" to create the assessment using this template.
9) Navigate to Reporting > MITRE ATT&CK Alignment.
10) Click on "Assessments" and check the box for 2025 Q2: TSI – Threat Simulation Index.
11) Click on the grey box for "No Test Coverage" to make it inactive.

Here you will see the MITRE ATT&CK matrix for the index that was just imported.  As you complete test cases and record the results, these cells will be color coded based on how strong or weak your organization's detection/blocking capabilities are for any given test case.

Now that we have created an Assessment, we will create a campaign inside of the assessment.  A campaign is a smaller subset of an existing assessment to test against a more specific group of test cases, for example a campaign for AWS or Azure specifically.  You could also create a campaign for one particular Threat Actor in an assessment with many Threat Actors.  There are many ways you can utilize campaigns within an assessment.

12) Navigate to Testing > 2025 Q2: TSI – Threat Simulation Index > View All Campaigns.
13) Click on New Campaign and name it "Purple Team Workshop".
14) Click the button and select MITRE and Red Canary as the organizations.

Filter to select the relevant TTPs, listed below.

TTPs for documentation:
  - T1490 – HI – Delete Shadows with vssadmin
  - T1070.001 – TSI – Clear Windows Event Log entries
  - T1003.001 – TSI – Dump LSASS memory using Task Manager
  - T1056 – HI – Keylogger
15) Click "Save" to save your new campaign.
16) Navigate to Reporting > MITRE ATT&CK Alignment and select the 2025 Q2: TSI – Threat Simulation Index assessment.
17) Next to "Assessments", click on the Filter button and select the Purple Team Workshop campaign.
18) Click back into the MITRE ATT&CK matrix to close the menu.

You will now see the Purple Team Workshop campaign created under the TSI – Threat Simulation Index in the MITRE ATT&CK Alignment page.

19) Click into "Clear Windows Event Logs".

This page is where all of the information for the test case resides.  This keeps track of the Status of the test case, the Attack Timeline, the Name and Description of the test, the Operators Guidance, Detection Time, Outcome Notes, and Detection/Prevention guidance, as well as any evidence files such as screenshots of alerts or logs.  It is a very well-organized means of tracking these test cases.  We will simulate the test case outcome. 

20) Under Defense Activity > SIEM dropdown, select the "Alerted – Medium" outcome.

You will see the Test Case outcome at the top right switch to “Success” and Test Case Outcome will show the “Alerted – Medium” outcome that we selected in the dropdown.

21) In the Outcome Notes section, write "Alerted in SIEM" and then press Save at the bottom right of the page.

You will see the "Clear Windows Event Logs" test case turn green.  This indicates that the organization has passed this test case.
22) Open the Keylogging test case.  Under Defense Activity > Endpoint Protection dropdown, select "Blocked – Alerted" and then Save at the bottom right.

This will cause the Keylogging test case to turn green.  You will also see that the Keylogging test case exists in two columns (two tactics or phases).  This is because a Keylogger can be used for both Credential Access as well as Collection of data or other information that a threat actor may want to gather.  It should be noted that some test cases may exist in more than one Tactic, but the test case when opened is the same singular test case.

23) Open the LSASS Memory test case.  Under Defense Activity > Endpoint Protection dropdown, select "None" and Save at the bottom right.

The LSASS Memory test case turns red because this is a completely failed test case.

24) Open the Inhibit System Recovery test case.  Under Defense Activity > SIEM dropdown, select "Centrally Logged" and then Save at the bottom right.

This test case turns orange.  This is still a failure, but it is not as bad as no logging at all, since some artifacts of the technique were left behind, whereas the LSASS Memory result indicates the organization was completely blind to the technique.

To visualize what a fully completed heat map would look like, we will navigate to a demo index that is pre-populated with results.

25) Navigate to Assessments and select "Health Threat Index 2022 (Q2)".

Here you should see a heat map of a completed assessment.  The heat map gives an easy means of visualizing which phase of a Threat Actor’s attack chain we have strong defenses, and which need work. 

The idea behind all of this is to allow Incident Response a fighting chance at detecting and eradicating a threat before they are able to complete their objective.  The more test cases you alert or block on, the better those chances become.


After an Assessment is completed, the next step is to generate reports that can be disseminated to stakeholders.

26) Navigate to Reporting > Threat Resilience Scoring.

Here you can see the results of a completed assessment.  The selected assessment had 52 test cases and passed 50% of them.  For the test cases in this assessment, 50% of them were either blocked and/or alerted, while the other 50% were only logged or had no artifacts at all.

Scroll down and view the other charts.  These are all breakdowns of Phases/Tactics along with the outcomes of the testing.  There are several ways this data can be organized and reported upon.  The idea is to show progression as you work with the Blue Team to build logs, alerts, and blocks as necessary to improve your resilience to the Threat Actor(s) you test against.
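To make the colour and scoring logic of the last several steps concrete, here is an added Python model (not Vectr's code and not its actual scoring algorithm) of the outcome-to-colour mapping and the pass rate as the lab describes them, using the four test cases from the Purple Team Workshop campaign with the outcomes entered above.  It also shows why a multi-tactic test case such as Keylogging appears in two heat-map columns but counts once toward the score.

```python
"""Simplified model of outcome -> colour -> resilience score as this lab describes it.

Added example; not Vectr's code and not its real scoring algorithm.  The
outcome names are the ones used in the lab; the pass/fail mapping follows the
lab text: blocked or alerted = pass (green), only logged = fail with artifacts
(orange), no artifacts = fail (red).  TEST_CASES are the four from the
Purple Team Workshop campaign with the outcomes the lab has you enter.
"""
from collections import defaultdict

PASS_OUTCOMES = {"Blocked - Alerted", "Alerted - Medium"}
LOGGED_ONLY_OUTCOMES = {"Centrally Logged"}

# Constructed from the lab's steps 20-24; tactics are the ATT&CK columns each case sits in.
TEST_CASES = [
    {"name": "Clear Windows Event Logs", "technique": "T1070.001",
     "tactics": ["Defense Evasion"], "outcome": "Alerted - Medium"},
    {"name": "Keylogging", "technique": "T1056",
     "tactics": ["Credential Access", "Collection"], "outcome": "Blocked - Alerted"},
    {"name": "LSASS Memory", "technique": "T1003.001",
     "tactics": ["Credential Access"], "outcome": "None"},
    {"name": "Inhibit System Recovery", "technique": "T1490",
     "tactics": ["Impact"], "outcome": "Centrally Logged"},
]


def outcome_color(outcome):
    """Cell colour for one outcome, as the lab describes the heat map."""
    if outcome in PASS_OUTCOMES:
        return "green"
    if outcome in LOGGED_ONLY_OUTCOMES:
        return "orange"
    if outcome == "None":
        return "red"
    raise ValueError(f"unknown outcome: {outcome!r}")


def resilience_score(test_cases):
    """Fraction of distinct test cases passed; a case in two tactics is still one case."""
    if not test_cases:
        return 0.0
    passed = sum(1 for tc in test_cases if tc["outcome"] in PASS_OUTCOMES)
    return passed / len(test_cases)


def heat_map(test_cases):
    """Per-tactic cells and pass rate, mirroring the MITRE ATT&CK Alignment view.

    Here a multi-tactic case counts in every column it appears in, which is
    why the per-column rates and the overall score can disagree.
    """
    columns = defaultdict(list)
    for tc in test_cases:
        for tactic in tc["tactics"]:
            columns[tactic].append((tc["technique"], outcome_color(tc["outcome"])))
    return {
        tactic: {
            "cells": sorted(cells),
            "pass_rate": sum(1 for _, colour in cells if colour == "green") / len(cells),
        }
        for tactic, cells in columns.items()
    }


def outcome_distribution(test_cases):
    """Outcome counts, like the distribution chart on the Scorecard page."""
    counts = defaultdict(int)
    for tc in test_cases:
        counts[tc["outcome"]] += 1
    return dict(counts)


def resilience_trend(assessments):
    """Score per assessment label, like the Resilience Trending report."""
    return {label: resilience_score(cases) for label, cases in assessments.items()}


if __name__ == "__main__":
    print(f"resilience score: {resilience_score(TEST_CASES):.0%}")
    for tactic, column in heat_map(TEST_CASES).items():
        print(f"{tactic}: {column['cells']} pass rate {column['pass_rate']:.0%}")
    print("outcomes:", outcome_distribution(TEST_CASES))
```

With the four outcomes from the lab the overall score is 50%, the same shape as the completed assessment on the Threat Resilience Scoring page (52 cases, half blocked or alerted); the Credential Access column shows one green and one red cell while Collection shows only green, because the single Keylogging case is drawn in both.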

27) Navigate to Reports > Kill Chain Summary.

Here you can see the breakdown of the individual phases of the attack in pie chart form.

28) Navigate to Reports > Resilience Trending.
29) Under "Assessments", check all 4 boxes for Q1 – Q4.

As you periodically test your environment against particular indices, and of course have the blue team remediate failed test cases, you will generate a resilience trendline that can provide the feedback to leadership that the program is generating value.  This trendline represents the improvement in your organization’s resilience to attacks from your adversaries.

30) Navigate to Reports > Scorecard.

This page provides breakdowns of the test results by outcome distribution and counts, which layers of your defense in depth are doing most of the heavy lifting, in which phases of the attack chain you are strongest or weakest, and your most and least successful campaigns, phases, or techniques.

This data and these charts can be tailored to the needs of your reporting or to how stakeholders want to consume the information.  Vectr provides a wide variety of reporting methods based on the results of your testing, and these are often updated in new versions of Vectr.

Thank you!
This concludes the Lab portion of Purple Protocol.  Write down any questions you may have and ask away during the review of this lab as well as the Q&A portion of the workshop (if time permits).